Closed Bug 785358 Opened 8 years ago Closed 8 years ago

Assertion failure: fe->isType(type), at methodjit/Compiler.cpp:7623


(Core :: JavaScript Engine, defect, critical)

Not set



Tracking Status
firefox15 --- wontfix
firefox16 --- wontfix
firefox17 --- wontfix
firefox18 --- fixed
firefox19 --- fixed
firefox20 --- fixed
firefox-esr10 --- unaffected
firefox-esr17 18+ fixed


(Reporter: decoder, Assigned: bhackett1024)


(Keywords: assertion, sec-critical, testcase, Whiteboard: [jsbugmon:verify-branch=mozilla-esr17,ignore][adv-main18+][adv-esr17+])


(1 file)

The following test asserts on mozilla-central revision ad7963c93bd8 (options -m -a -n):

try {
a = []
function f(o) {
    o[5] = {}
    with(a) f()
} catch(exc1) {}
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   103051:bf07c6253287
user:        Brian Hackett
date:        Wed Aug 22 12:28:34 2012 -0600
summary:     Allow purging analysis-temporary while retaining jitcode, bug 778724. r=luke
CCing bhackett and luke by comment 1.
Group: core-security
Attached patch patchSplinter Review
Bug 778724 is innocent here, the different recompilation pattern it introduces exposed the bug.  This is a regression from bug 731398; this bug allows initializers in run-once scripts to produce objects with singleton type, which TI will not try to guess at the result until the initializer actually runs.  But JM will still treat these opcodes as definitely producing objects, a refinement of the type information which it shouldn't be doing.
Assignee: general → bhackett1024
Attachment #655357 - Flags: review?(dvander)
Attachment #655357 - Flags: review?(dvander) → review+
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 1b0b56afa33a).
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
JSBugMon: This bug has been automatically verified fixed.
Confirmed assert on 2012-8-24, nightly jsshell

I can confirm fixed (or unable to reproduce) on jsshell for beta/Aurora/nightly, 2012-11-20. However, above comments say it was only fixed for 18. 

Is this correct? What would we expect to see here?
Assuming affected for 17 - decoder, do you mind rechecking if 17 is still affected?

(wontfix'ing for 16 since 17 is out of the door)
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:verify-branch=mozilla-release]
Whiteboard: [jsbugmon:verify-branch=mozilla-release] → [jsbugmon:verify-branch=mozilla-release,ignore]
JSBugMon: This bug has been automatically confirmed to be still valid on branch mozilla-release  (reproduced on revision 53fc01ba93c2).
Flags: needinfo?(choller)
Also trying to confirm for ESR17 branch.
Whiteboard: [jsbugmon:verify-branch=mozilla-release,ignore] → [jsbugmon:verify-branch=mozilla-esr17]
Whiteboard: [jsbugmon:verify-branch=mozilla-esr17] → [jsbugmon:verify-branch=mozilla-esr17,ignore]
JSBugMon: This bug has been automatically confirmed to be still valid on branch mozilla-esr17  (reproduced on revision 30b9dd4e9966).
Tracking for ESR 17 that will ship with Firefox 18 - can someone please nominate for esr17 approval (assuming this patch lands cleanly there) or prepare an esr17 patch?
Comment on attachment 655357 [details] [diff] [review]

[Approval Request Comment]
Fix Landed on Version: 18
Risk to taking this patch (and alternatives if risky): None
Attachment #655357 - Flags: approval-mozilla-esr17?
Attachment #655357 - Flags: approval-mozilla-esr17? → approval-mozilla-esr17+
Whiteboard: [jsbugmon:verify-branch=mozilla-esr17,ignore] → [jsbugmon:verify-branch=mozilla-esr17,ignore][adv-main18+][adv-esr17+]
Can this be put in testsuite?
Flags: in-testsuite?
Group: core-security
You need to log in before you can comment on or make changes to this bug.